CVE-2026-48210

5.7 MEDIUM
Published: May 31, 2026 Modified: June 15, 2026

Description

An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend. This issue affects OTRS 2026.3.1.

AI Explanation

### 1. Plain-Language Summary (2-3 sentences):

In OTRS 2026.3.1, a default setting forces all forwarded ticket articles to be visible to external customers, and users cannot turn this visibility off. This accidentally exposes internal ticket details (like notes or attachments) to external users through the External Frontend, even when they shouldn't see them.

### 2. Who is Affected:

* **Product:** OTRS (Open-source Ticket Request System)
* **Version:** Specifically **OTRS 2026.3.1**. Earlier or later versions are not mentioned as affected.

### 3. What an Attacker Could Do:

An attacker with access to the OTRS **External Frontend** could view internal information (e.g., agent notes, sensitive attachments, internal communications) within tickets that were forwarded, which should have remained private. This unauthorized exposure could lead to information disclosure breaches.

### 4. Recommended Remediation Steps:

1. **Verify Exposure:** Immediately check if forwarded articles in OTRS 2026.3.1 are visible in the External Frontend despite agent attempts to hide them.
2. **Contact Vendor:** Reach out to the OTRS vendor (OTRS AG) for an official patch or configuration fix.
3. **Apply Patch/Upgrade:** Install the vendor-provided patch as soon as it becomes available. If a fixed version is released (e.g., 2026.3.2+), upgrade to it.
4. **Temporary Workaround (If Possible):** Until a patch is available, **restrict access** to the External Frontend or **disable ticket forwarding** functionality entirely if business

Generated: 2026-06-01 01:03

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

References to Advisories, Solutions, and Tools

https://otrs.com/release-notes/otrs-security-advisory-2026-09/
Source: security@otrs.com
Vendor Advisory Mitigation

1 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.7 / 10.0
EPSS (Exploit Probability)
0.2%
16th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

otrs